Authentication, authorization and accounting is commonly called AAA. If you have more than a few network devices, using local user accounts is not a scalable solution. The solution is to centralize the authentication via either a TACACS+ or a RADIUS server. It is more common to use a TACACS server. Cisco has their own TACACS server, which is called Cisco ACS. To set up authentication we need to do some configuration. Many of us might have pasted the commands in from some template, but do we really know what every command does? I will show a way to set up AAA and what the different commands do.
We need an enable password configured. We will see why later in the configuration.
We need this account for local authentication if we lose contact with the TACACS server.
This enables AAA; without this the other AAA commands have no effect.
This is to configure what servers will be used for TACACS and the key needed.
When a user logs in, check with TACACS first and if that is not available use a local user account. The word default in this command is a list name. You can use a different list name if you want, but default works fine unless you need several lists.
When using enable, check with TACACS first and if that is not available use the local enable secret password.
Check whether the user has the right to an exec shell. Check with TACACS first, then the local database if TACACS is unavailable. If-authenticated means that if a user has already authenticated and the TACACS server later goes down, the user can still do configuration. If we don't use a backup option to TACACS, authorization will fail when the TACACS server goes down; that is why we use the local database as a fallback, and if-authenticated lets the user continue to configure when no source is available to do authorization at all.
Authorize commands from global config mode.
Authorize commands that have a privilege level of 1.
Authorize privilege level 15 commands.
These commands are used to set up accounting. Accounting is used to log what users do when logged in. We turn on accounting for when a user gets an exec shell and for privilege level 1 and 15 commands. We also want to log connections that the user makes and system events.
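The whole procedure described above, collected in one IOS configuration as an added example (this is not the original post's own configuration). The server address, key, username and passwords are assumed placeholders; replace them before use.

```cisco
! Enable secret: fallback for "aaa authentication enable" when TACACS+ is unreachable
enable secret <ENABLE-SECRET-PLACEHOLDER>
! Local account: fallback for login and exec authorization when TACACS+ is unreachable
username admin privilege 15 secret <LOCAL-PASSWORD-PLACEHOLDER>
!
! Turn on AAA; none of the "aaa ..." commands below work without this
aaa new-model
!
! TACACS+ server definition (address and key are assumed placeholders)
tacacs server ACS1
 address ipv4 192.0.2.10
 key <TACACS-KEY-PLACEHOLDER>
!
! Authentication: TACACS+ first, local database if TACACS+ does not answer
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: exec shell, config-mode commands, level 1 and level 15 commands
! "if-authenticated" lets an already authenticated user continue if no source can authorize
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
!
! Accounting: exec sessions, level 1 and 15 commands, outbound connections, system events
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
```

Keep a console session open while applying this so a mistake in the server definition or key does not lock you out; "show tacacs" and "debug aaa authentication" are the usual checks that the server is actually being reached.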